The customer is always right, and we at Netsparker could not agree more with this statement. So what could be better than an interview with one of our web scanner’s users? In this interview, Klemen Stirn, the project lead, developer and support team for Hesk, explains why he found Netsparker to be a great tool for automating and scaling up web application security, thanks to its ease of use and ample support.
Believe it or not, Hesk is currently a “one man team”. I fulfill the roles of project lead, developer and support team. Hesk is free Help Desk Software allowing businesses to set up a web ticket-based customer support system. The philosophy behind Hesk is that not everyone needs large and complicated customer support software; there is a need for a small and simple alternative.
Sure, I’ll do my best! Because Hesk is anonymous to download, determining an exact user-base is a little tricky. Looking at the Google Analytics data and download statistics, I would estimate that there are somewhere between 50k-100k installations and active users.
It has been both a challenge and a learning process. Obviously, I needed to pay close attention to any code or application functionality that might result in potential attack vectors — a time consuming and detail oriented process.
It has also helped that Hesk ships with source code. As a result, I have benefited from several third-party code reviews performed by pen testers. As well, several vulnerabilities have been reported by Hesk end-users.
Well, the biggest change is that I now have Hesk installed on a test server. I use Netsparker Enterprise to perform full scans as well as any required re-scans. My process now involves using Netsparker Enterprise before any new version is pushed into a live environment or made available to the public.
I’ve never relied upon any automated web application security scanners before, so this has resulted in a huge improvement in efficiency and confidence.
I’m able to write more secure code because Netsparker brings the latest vulnerabilities and best practices to my attention in a timely manner.
I feel more confident that the latest release isn’t introducing new vulnerabilities. Trusting that you’re releasing a secure application (to the best extent possible) makes it easier to sleep at night.
Absolutely! Netsparker Enterprise found a confirmed XSS vulnerability inside the administrator control panel.
Also, it helped to identify several necessary feature enhancements that included forcing SSL connections, marking cookies as secure and HttpOnly where needed and adding X-Frame-Options tags to assist in preventing Clickjacking.
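The three hardening measures named in that answer (forcing SSL, Secure/HttpOnly cookies, and an anti-clickjacking header) are small in code terms. The following PHP snippet is an added example written for this page, not Hesk's own code; it assumes it is included before any output and before session_start(), that the site's canonical hostname is the hypothetical value `helpdesk.example.com`, and PHP 7.3 or later for the array form of session_set_cookie_params() and setcookie().

```php
<?php
// Added example (not Hesk's own code): the three hardening measures
// mentioned above. Must run before any output and before session_start().

// Assumed, hypothetical canonical hostname. Redirecting to a fixed host
// rather than $_SERVER['HTTP_HOST'] avoids bouncing users to an attacker-
// supplied Host header value.
const EXAMPLE_CANONICAL_HOST = 'helpdesk.example.com';

function example_request_is_https(): bool
{
    // HTTPS is set by most SAPIs; some set it to "off" on plain HTTP.
    if (!empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off') {
        return true;
    }
    return isset($_SERVER['SERVER_PORT']) && (int) $_SERVER['SERVER_PORT'] === 443;
}

// 1. Force SSL: send plain-HTTP requests to the HTTPS equivalent and tell
//    browsers to stay on HTTPS for a year (HSTS).
if (!example_request_is_https()) {
    $uri = $_SERVER['REQUEST_URI'] ?? '/';
    header('Location: https://' . EXAMPLE_CANONICAL_HOST . $uri, true, 301);
    exit;
}
header('Strict-Transport-Security: max-age=31536000');

// 2. Mark the session cookie Secure (HTTPS only) and HttpOnly (not readable
//    from JavaScript, which limits what a reflected XSS can steal).
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'domain'   => '',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

// Any other cookie the application sets gets the same flags. The cookie
// name and value here are constructed for the example.
setcookie('example_pref', 'compact', [
    'expires'  => time() + 86400,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);

// 3. Anti-clickjacking: refuse to be framed by other origins. The CSP
//    frame-ancestors directive is the modern equivalent of X-Frame-Options;
//    sending both covers older browsers.
header('X-Frame-Options: SAMEORIGIN');
header("Content-Security-Policy: frame-ancestors 'self'");
```

The redirect deliberately uses a configured hostname instead of the incoming Host header, and the cookie flags are applied to the session cookie before session_start() because PHP emits the Set-Cookie header at that point; setting them afterwards has no effect on the current response.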
I don’t — which is a good thing. Netsparker is very intuitive and easy to use so I’ve never had to rely on support.
Free software is usually backed by a relatively small number of active developers; in the case of Hesk, it's a "one man show".
Because of this, any automated tool that performs a highly-specialized task (for example, a web application security scanner) is a godsend.
Netsparker Enterprise is one such tool. It was a breeze to set up. I started my first cloud scan in literally a few minutes. This allowed me to spend precious time and resources on other priorities while waiting for the scan to complete.
Scan results are well organized, prioritized and provide verbose information where needed. For example, as a developer, I found the exact HTTP Request and Response very useful for reproducing issues and pinpointing/fixing them.
At times it felt like having someone looking over my shoulder pointing out even the smallest details that need attention; things that may take very little developer effort to fix, but in the end, help to make web applications like Hesk even more secure.
I have a hard time finding any negative aspects to Netsparker Enterprise. It is hands down a great tool — all you could wish for from an automated web security scanner. Easy to use and detailed with a low false positive rate.